How to determine which trojan is packed inside?

Discussion in 'malware problems & news' started by drazenn99, Mar 19, 2010.

Thread Status:
Not open for further replies.
  1. drazenn99

    drazenn99 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    5
    OK, this is my first post, and I hope I am writing in the right place.
    I have some file which is infected, and I know that, but still, I would like to use it.
    I have submitted it to virustotal to check it, and that is where I discovered it is infected, but one thing is bothering me.
    I read the results, and quite a few AVs determined it infected, but when I try to explore what is inside, I stick with NOD32's result: probably a Win32/hacktool variant, and if it is the only thing packed inside, I am alright with that, and I can live with that.
    But other AVs show something generic, and some of them say that it is some backdoor trojan, which I am not OK with.
    So who should I believe, NOD AV, which gives exact info about malware, or the others who said that it is something generic?
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Is this a .rar or zip file? If so, I usually open the archive with IZArc, search for the infected file, delete it and keep the remainder. That's worked for years. If it's an exe file that is being detected, I'm not sure anything can be done. If this is some sort of crack or keygen (I honestly don't care if it is, none of my business, I use them occasionally, and you don't need to be "schooled" on the dangers), then I expect the AV to flag it, and there's a pretty good chance it's an FP.

    A hacktool detection sounds like you've got some sort of system tweak program or something (like the old TCP patches that were ALWAYS flagged as malicious).
     
  3. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    If in doubt, leave it out :)
     
  4. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    What's the program? "Hacktool" is often used to classify patch programs or keygens. Whatever it is, if you need to run it, try it in a sandbox such as Sandboxie first.
     
  5. drazenn99

    drazenn99 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    5
    It is some patch for Internet Download Manager, and I am pretty sure that is a false positive also, but what makes me unsure is that I accidentally discovered it is packed with upolyX, and when I tried to extract it I couldn't, and I was getting the message "Don't try to steal our software", so I am a bit in doubt. If someone makes a patch to make some app free for the world, why would he make that same patch unextractable, when all we need is a simple registry hack or serial?
    I'm not much into Sandboxie, just started to use it recently, and if I have understood that "virtual" thing well, if I run that patch sandboxed, it won't be able to patch the file because it has no contact with the registry and other files, right?
    So, is there any option so I would run that patch sandboxed, but during that run I can watch what exactly it is doing and what it is trying to patch?
    Huh, sorry about my bad English, but I hope you have understood me,
    thanks.
     
  6. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    "It is some patch for..."

    It may be okay, maybe not, but AV & anti-malware programs often flag patchers as bad because they alter executables.

    "If someone makes a patch to make some app free for the world, why would he make that same patch unextractable, when all we need is a simple registry hack or serial?"

    In the warez community it's all about the bragging rights. They don't want other warez guys to be able to easily repackage their cracks.

    "If I have understood that "virtual" thing well, if I run that patch sandboxed, it won't be able to patch the file because it has no contact with the registry and other files, right?"

    Anything running in the sandbox will think it has patched the file or had contact with the registry. What Sandboxie will do is make a copy of the file to be patched within the sandbox, and changes will happen to that file. Registry changes will be stored in the sandbox, and anything in the sandbox that checks those keys will be pointed to the sandboxed versions. When you clear the sandbox those changes will be lost, so if you trust it, run it again outside the sandbox.

    "So, is there any option so I would run that patch sandboxed, but during that run I can watch what exactly it is doing and what it is trying to patch?"

    A quick way would be to run it in a sandbox with no internet access; you'll get an error if it tries to connect out. Then look and see what files it altered/wrote. If you want more in-depth info then you can run Buster Sandbox Analyzer (see this thread: https://www.wilderssecurity.com/showthread.php?t=259357).
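    The "look and see what files it altered/wrote" step from this post, as an added example that is not Sandboxie's or BSA's own code: hash every file under the sandbox's file area before and after the run, then diff the two snapshots. The directory tree and the "patched" result are constructed inline for the demo; on a real install the root would be the sandbox folder, which is an assumption about the reader's setup.

```python
# Added example for this thread (not Sandboxie's or BSA's own code):
# snapshot the sandbox's file area before and after running the sample,
# then diff the snapshots to list what it added, changed or removed.
# The tree under the temp directory is constructed for the demo.
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root)] = digest
    return snap


def diff_snapshots(before, after):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, removed


def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed run: a 'patcher' rewrites app.exe and drops one new file."""
    root = tempfile.mkdtemp(prefix="sandbox_demo_")
    exe = os.path.join(root, "Program Files", "App", "app.exe")
    write(exe, b"MZ original image")          # target the patcher will alter
    write(os.path.join(root, "readme.txt"), b"untouched")
    before = snapshot(root)
    # Simulate what the sandboxed run leaves behind in its copy-on-write area.
    write(exe, b"MZ patched image")
    write(os.path.join(root, "dropped.dll"), b"new file")
    after = snapshot(root)
    return diff_snapshots(before, after)
```

    Calling demo() reports dropped.dll as added and app.exe as modified while readme.txt, which the run never touched, does not appear at all.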
     
  7. drazenn99

    drazenn99 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    5
    Yes, thanks, this BSA is a great tool as I can see for now.
    I managed to get it to work somehow but still have some problems getting it to compare file and registry differences, but still I can see what is happening inside from the text logs. When I click "find differences", it hangs with the message "searching for differences"; probably I've done something wrong, but I hope I will find the mistake. For now, I have no more ideas where to look for it because I wrote the paths as they are and edited the sandbox settings too, but still, when I stop BSA after it gives no results for differences, I am getting the message "Cant open PEIDOutput.txt", although I can't even find one in the BSA folder.
     